Is this a normal scan of /var with clamAV?

Not sure this is the right place for this. Hopefully this will be a quick and easy answer to my question. I ran clamAV on IPFire the other day. All was fine until I scanned /var. There were 12 hits of which 10 were located in backup files. Here is a copy of my output:
/var/cache/suricata/idsrules-emerging.tar.gz: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/ipfire/backup/2022-03-10-19:31.ipf: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/ipfire/backup/2022-07-11-08:11.ipf: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/ipfire/backup/2022-09-24-15:56.ipf: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/ipfire/backup/2022-07-14-06:30.ipf: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/ipfire/backup/2022-04-30-05:51.ipf: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/ipfire/backup/2022-03-29-09:16.ipf: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/ipfire/backup/2022-07-11-08:10.ipf: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/ipfire/backup/2022-10-21-06:05.ipf: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/ipfire/backup/2022-06-19-07:29.ipf: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/ipfire/backup/2022-04-05-04:55.ipf: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/lib/suricata/emerging-web_client.rules: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8643507
Engine version: 0.105.1
Scanned directories: 1912
Scanned files: 10597
Infected files: 12
Data scanned: 3645.33 MB
Data read: 2163.69 MB (ratio 1.68:1)
Time: 405.828 sec (6 m 45 s)
The command I ran was: clamscan -r -i -o /var
Now, here is my question. Is /var/lib/suricata/emerging-web_client.rules: Html.Exploit.CVE_2018_8373-6654754-1 normal? Part of the clamAV section of suricata? There are no other areas showing infection. Am I correct in my assumption that this is normal?

It looks like this result should be expected.

The emerging-web_client.rules entry has a rule that is enabled by default named
ET WEB_CLIENT VBscript UAF (CVE-2018-8373)

This has the same CVE number as the one that the flagged clamav signature is checking for.

You could disable that suricata rule but then clamav would be flagging any infections only once they are on your system.

The better approach would be to keep the suricata rule and either not scan the /var directory with clamav, or if you feel that scanning /var is required then to whitelist the Html.Exploit.CVE_2018_8373-6654754-1 signature in clamav.
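A narrower alternative to ignoring the signature everywhere, as an added example that is not part of the original posts: a shell filter that marks a hit as expected only when this exact signature fires on the Suricata rule files or on an IPFire backup archive, and sends everything else to review. The function names, the sample lines marked as constructed, and the assumption that the backup archives are where a copy of the rule text is expected are mine.

```shell
#!/bin/sh
# Added example, not from the thread: triage `clamscan -i` output.
SIG='Html.Exploit.CVE_2018_8373-6654754-1'
# Assumption: only these locations legitimately hold IDS rule text.
EXPECTED_RE='^/var/(cache|lib)/suricata/|^/var/ipfire/backup/[^/]+[.]ipf$'

# stdin: clamscan output. stdout: verdict <TAB> signature <TAB> path
triage_hits() {
    awk -v sig="$SIG" -v ok="$EXPECTED_RE" '
        / FOUND$/ {
            line = $0
            sub(/ FOUND$/, "", line)
            # Paths can contain ":" (2022-03-10-19:31.ipf) and spaces, so
            # take the final ": NAME" as the signature, not the first colon.
            if (!match(line, /: [^ ]+$/)) next
            path = substr(line, 1, RSTART - 1)
            name = substr(line, RSTART + 2)
            verdict = (name == sig && path ~ ok) ? "expected" : "review"
            printf "%s\t%s\t%s\n", verdict, name, path
        }'
}

# stdin: clamscan output. stdout: number of hits that need a human look.
count_review() {
    triage_hits | awk -F'\t' '$1 == "review" { n++ } END { print n + 0 }'
}

# Sample input: the first three lines are from the scan above, the last
# two hits are constructed to show the "review" path.
sample_scan() {
    cat <<'EOF'
/var/cache/suricata/idsrules-emerging.tar.gz: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/ipfire/backup/2022-03-10-19:31.ipf: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/lib/suricata/emerging-web_client.rules: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/tmp/constructed page.html: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/var/ipfire/backup/constructed.ipf: Constructed.Example.Signature-0 FOUND
Infected files: 5
EOF
}

sample_scan | triage_hits
```

On a live system the same filter can be fed with `clamscan -r -i -o /var | triage_hits`. If a global ignore is still preferred, ClamAV reads ignored signature names from a `.ign2` file in its database directory, and `clamscan --exclude-dir=REGEX` skips directories entirely.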

Thank you very much for your quick response. I will follow your suggestion to the letter.